javajakarta-eejettyjetty-8jaspic

How to use JASPI/JASPIC on Jetty?


On Jetty's main project page compatibility with JASPI (JASPIC/JSR 196) is mentioned.

However, the distribution of Jetty 8 does not seem to contain any classes related to JASPI. There's a jetty-security-8.1.8.v20121106.jar jar in [jetty home]/lib, but this one does not contain any of the JASPIC/JASPI types.

The documentation about JASPIC/JASPI on the Jetty wiki is only a placeholder and does not contain any information.

After some Googling I found JavaDocs on the Eclipse site and discovered there should be a jetty-jaspi-8.1.8.v20121106.jar somewhere. Those JavaDocs are included in the distribution as well. Finally, a jetty-jaspi repo appears at Github.

Obviously there is some amount of support available, but why are those classes seemingly not present in the Jetty distribution and where is the documentation on how to configure this? What am I missing?


Solution

  • This project (https://github.com/guofengzh/jaspi-on-jetty) is a working example of the JASPI API in jetty that uses geronimo-jaspi which in turn calls back to the jetty-jaspi modules for the authentication. Geronimo seems to be providing the configuration mechanism and jetty the authentication modules themselves in this example.

    It seems as though you can select a form, digest or basic authentication methods. A quick test of the form based login has shown it appears to function.

    The Jaspi authentication factory is setup in jetty-web.xml like so:

    <Set name="securityHandler">
      <New class="org.eclipse.jetty.security.ConstraintSecurityHandler">
        <Set name="loginService">
          <New class="org.eclipse.jetty.plus.jaas.JAASLoginService">
            <Set name="name">JAASRealm</Set>
            <Set name="loginModuleName">jaas</Set>
          </New>
        </Set>
    
        <Set name="authenticatorFactory">
          <New class="org.eclipse.jetty.security.jaspi.JaspiAuthenticatorFactory" />
        </Set>
      </New>
    </Set>
    

    And the jaspi configuration file is referenced via a system property in the pom.xml file:

    <systemProperty>
      <name>org.apache.geronimo.jaspic.configurationFile</name>
      <value>./conf/jaspi/form-test-jaspi-2.xml</value>
    </systemProperty>
    

    Additionally, the jaspi library you mentioned is added as a dependency in the pom, along with the geronimo jaspi implementation:

    <dependency>
      <groupId>org.eclipse.jetty</groupId>
      <artifactId>jetty-jaspi</artifactId>
      <version>${jetty.version}</version>
    </dependency>
    <dependency>
      <groupId>org.apache.geronimo.components</groupId>
      <artifactId>geronimo-jaspi</artifactId>
      <version>2.0.0</version>
    </dependency>
    

    I have also been unable to find documenation on the topic. It seems as though the jetty-jaspi module is not one of the standard start options, but could be added to the ${jetty.home/lib/ext} directory (see Jetty classloading).